New data on privacy policies shows 20 percent of sites may sell data

PrivacyChoice hopes to create a "Wikipedia for Privacy Policies."

For most people, privacy policies are the boring fine print in a website you may visit. They're nearly always written in legalese, unintelligible to the average person, and on top of that many of them don't even say that much.

Overall, it's hard to imagine a group of documents that could be more sleep-inducing than online privacy policies. The rub is, they're actually important. In the absence of any federal online privacy laws, the policies are actually the only way for a user to find out what various services are doing with her information.

Privacy policies are also the only basis for enforcement from bodies like the Federal Trade Commission. Since the government can't actually sue a company for having sketchy privacy policies for adult users, it has to nab companies when they have violated their own stated privacy policies. That's what happened when the FTC managed to force both Facebook and Google into privacy-related settlements. The fact that privacy policies are key to enforcement actually creates a perverse incentive: the less a company says in its privacy policy, the better its protection from government scrutiny.

While indecipherable documents are currently users' only protection against a world of unlimited sharing of their data, Jim Brock, founder of PrivacyChoice, thinks he has at least part of the answer to that conundrum. His team at PrivacyChoice has scored the privacy policies of more than 4,000 websites; this week, he released data on 2,500 of them. What's been revealed so far is illuminating and a bit disturbing.

The PrivacyChoice system comes up with scores based on two groups of policies. One is the policy of the site itself and the other part of the score comes from the privacy policies of the various third-party "tracking" companies that are on the site, usually in the form of advertisements.

For the actual site, the score is based on four factors that consumers are most concerned about, says Brock. The first and most important factor is whether the sites share personal data. Of the top 2,500 sites, 63 percent of them promise that they generally don't share data, another 10 percent don't share data for marketing purposes (apple.com falls into this category), and about 8 percent don't collect personal data at all. That leaves 20 percent of sites that make no promise about whether they sell personal data or not.

It's worth thinking twice about what's going on with your data at those 20 percent of sites, says Brock—especially if they ask to link up to your Facebook profile. (I'm looking at you, Pandora.)

"If they don't have a strong statement that they won't share personal data, you've got to think twice before you let them have your Facebook profile," says Brock. "That's the mother lode of data. People are not as conscious of that as you might expect."

The next most-important factor is whether a site will delete your data upon request. 60 percent of sites make no promises that they'll delete your data. Three percent of site policies "contemplate a data removal process, but reserve exceptions for purposes such as transaction auditing and backup storage," according to PrivacyChoice. Meanwhile, 38 percent either don't retain data or have a process for data removal.

As for the trackers, the score is weighted based on how much a particular ad network comes up on a site. The idea is to get a sense of what kind of policies occupy the mainstay of a site's pages, says Brock. "If you have one high-quality ad network on all your pages and one lousy ad network on two pages, you shouldn't be punished too much for that," he explains.

The tracking companies are assessed based on, first, whether they protect user anonymity: in other words, are they compiling a profile of user 64125's browsing habits, or a profile of Joe Mullin's browsing habits? (Most ad networks do maintain a commitment to anonymizing user data.) Other factors include how long they retain data, and whether they adhere to certain industry self-regulation standards.

One big site with an unexpectedly high ranking: Facebook

One thing that surprises many PrivacyChoice users is that Facebook, a company that has become synonymous with the unstable state of privacy online, actually has a very high score: 94 out of 100. That's because the site uses mostly in-house ads, and because the site's privacy policy is actually pretty good. But it's important to note that individual Facebook apps have their own scores, and those small app developers may get your Facebook data and then share it in ways that Facebook itself wouldn't.

With Facebook, protecting your privacy is mostly about being aware of one's own settings. "It's really hard to put into a score box," says Brock. "Facebook isn't on or off, it's a series of decisions you have to make." And users of PrivacyFix, the plug-in that shows these privacy scores, are made aware of many other Facebook issues, including FTC action against the site.

PrivacyChoice's next move is to create a kind of "privacy Wikipedia." The basis of PrivacyChoice's data has been compiled using a paid team of reviewers, but Brock says he's had good responses from people who want to help build out the project.

"We want to be able to get more companies rated, and we want those ratings to be available not just for our apps but for other people," says Brock. "The goal is to get to 10,000 [companies rated], and to get there with the crowd."

To that end, they've created a special browser extension that makes looking at policies easier. Brock explains in this week's blog post:

Analysts use a special Chrome browser extension with a review console to make policy evaluations efficient and accurate. In each review category — such as “Data Sharing” — keyword highlighting emphasizes the passages most likely to relate to the topic. It also captures and submits the classification and related text, which is then subject to peer review and algorithmic validation. Analysts can select any site policy they want to review, or can call for assignments through the extension. PrivacyChoice also monitors policy pages to tell when policies change, and automatically directs reviewers to update the analysis when necessary.

For those who want to explore what their favorite sites rate can download the PrivacyFix extension or check individual site scores here. More information about assisting with the crowd-sourcing aspect of the project is available at PrivacyChoice as well.

With the increase in blatant, indiscriminate and insidious personal information fishing and sharing that goes on I am becoming a real stickler for privacy. So much so that anytime that any information about me is asked or required, my first thought is "FOAD" and then I proceed to give BS info.

I say the Facebook score is a load of crap... I deleted my account more than 2 years ago and still get crap from facebook to activate it again - at least 2-3 times a week. About a year ago I activated it to see if my data was actually deleted... and the answer was a big NOPE! all my crap was still there... SO I went and followed the steps again to deactivate and permanently remove the account... received the confirmation email and still get emails every week to activate my account...

Not to mention how only recently have peoples deleted items actually start to get purged... and even then it still appears to be hit or miss...

Edit: To add to this, right below the score it says "Privacy Issues" and Photo deletion failure (Feb 2012). To me that sounds like NOT deleting files upon user request. Though the issue is better now - Feb 2012 was not even a year ago, why is this site giving facebook a pass on this?

I say the Facebook score is a load of crap... I deleted my account more than 2 years ago and still get crap from facebook to activate it again - at least 2-3 times a week. About a year ago I activated it to see if my data was actually deleted... and the answer was a big NOPE! all my crap was still there... SO I went and followed the steps again to deactivate and permanently remove the account... received the confirmation email and still get emails every week to activate my account...

Not to mention how only recently have peoples deleted items actually start to get purged... and even then it still appears to be hit or miss...

I say the Facebook score is a load of crap... I deleted my account more than 2 years ago and still get crap from facebook to activate it again - at least 2-3 times a week. About a year ago I activated it to see if my data was actually deleted... and the answer was a big NOPE! all my crap was still there... SO I went and followed the steps again to deactivate and permanently remove the account... received the confirmation email and still get emails every week to activate my account...

Not to mention how only recently have peoples deleted items actually start to get purged... and even then it still appears to be hit or miss...

I say the Facebook score is a load of crap... I deleted my account more than 2 years ago and still get crap from facebook to activate it again - at least 2-3 times a week. About a year ago I activated it to see if my data was actually deleted... and the answer was a big NOPE! all my crap was still there... SO I went and followed the steps again to deactivate and permanently remove the account... received the confirmation email and still get emails every week to activate my account...

Not to mention how only recently have peoples deleted items actually start to get purged... and even then it still appears to be hit or miss...

Not sure if this is your case, but I've gotten these from at least two jokers with the same first and last name who signed up for things without knowing their own email address. Since they, naturally, forgot the password within minutes, after multiple lost password emails I finally signed in for them and deleted the account.

The most important aspects, in this connected world, in the relationship between companies and end users; indemnity and ownership. The end user agrees to indemnify any company whose products or services the end user utilizes in any manner and said company retains exclusive ownership of the information culled from any and all transactions between the end user and the made-available-after-clicking-Agree product or service.

I (will) know exactly which sites leak/sell my data. Ever since I got my own domain, I've been making site specific e-mail addresses to register. I'm actually not deleting any spam that comes in on those e-mail addresses so it's only a matter of time before I can see if the e-mails I'm recieving are being targeted on the subject the site I used it on covers.

The positive news is that not many appear to be selling/leaking to spammers, since the amount of spam on these addresses is generally low to non existent.

The other thing of course is that profiling me becomes harder since they can't link data using my e-mail address. I also use different usernames on different forums. Sometimes they will be similar, but never exactly the same. If they allow space I may for example use the same name as here without the underscore. If no special characters are allowed I will either leave out the whole part after the underscore or just leave the underscore out.

Facebook surprises me but in some ways it may avoid this by not directly selling your information. Although their are plenty of Facebook Apps that people allow to share personal information with. In fact my wife had her Facebook account hacked and a couple months later we had a couple credit card charges for a dating service called Zoosk.com for $50 each. After checking her Facebook account I found not only a Zoosk App but countless other strange apps that seem to have been installed around the time her account was hacked. People need to realize that "Free" is not always free. Facebook relies on ads and Apps for revenue. Not the user. But the user suffers a loss of personal information many times without their exclusive permission because they fail to read the small print when using those apps.I just closed my Google account because of what I feel is Google's constant quest to increase revenue.I do not trust them to use my information correctly.

Privacy isn't really that hard. Use private browsing, turn off third party cookies, and reset your router periodically (for a fresh IP). That way, each internet session is unique and the only cookies you will have are from the sites you actually visit. If you are really paranoid, there are a ton of firefox extensions that are even more thorough.

Privacy isn't really that hard. Use private browsing, turn off third party cookies, and reset your router periodically (for a fresh IP). That way, each internet session is unique and the only cookies you will have are from the sites you actually visit. If you are really paranoid, there are a ton of firefox extensions that are even more thorough.

Put these two addon into Firefox and you can forget the extra steps your taking. Ars is sending your info out to eleven other companies. Ghostery"Ghostery is a browser tool available for Firefox, Chrome, Safari, Opera, Internet Explorer, as well as a standalone app available for iOS. It scans the page for trackers - scripts, pixels, and other elements - and notifies you of the companies whose code is present on the webpage you are visiting. These trackers often aren't otherwise visible and are often not detailed in the page source code. Ghostery allows you to learn more about these companies and their practices, and block the page elements from loading if the user chooses." and Do Not Track Plus also blocks your info from going out.

Privacy isn't really that hard. Use private browsing, turn off third party cookies, and reset your router periodically (for a fresh IP). That way, each internet session is unique and the only cookies you will have are from the sites you actually visit. If you are really paranoid, there are a ton of firefox extensions that are even more thorough.

Put these two addon into Firefox and you can forget the extra steps your taking. Ars is sending your info out to eleven other companies. Ghostery"Ghostery is a browser tool available for Firefox, Chrome, Safari, Opera, Internet Explorer, as well as a standalone app available for iOS. It scans the page for trackers - scripts, pixels, and other elements - and notifies you of the companies whose code is present on the webpage you are visiting. These trackers often aren't otherwise visible and are often not detailed in the page source code. Ghostery allows you to learn more about these companies and their practices, and block the page elements from loading if the user chooses." and Do Not Track Plus also blocks your info from going out.

You two should not forget this article from a couple years back, about how your combination of plugins designed to obscure your identity actually can counterintuitively do the opposite:

I say the Facebook score is a load of crap... I deleted my account more than 2 years ago and still get crap from facebook to activate it again - at least 2-3 times a week. About a year ago I activated it to see if my data was actually deleted... and the answer was a big NOPE! all my crap was still there... SO I went and followed the steps again to deactivate and permanently remove the account... received the confirmation email and still get emails every week to activate my account...

Judging by the actual e-mail... do you have a particularly short/common name for your gmail address? Sounds like this is idiots who are accidentally signing up for accounts using your e-mail. That actually means that your account *was* deleted, or they wouldn't be able to try to sign up with the same e-mail.

What is more scary than Facebook is when you make a credit card purchase online with some payment processors -- I just had a debate with Avangate support personnel, when I asked how long they keep personal data after transaction they have told me that they never delete any data (credit card numbers most likely included). Go figure.

The part about Facebook and the apps that exist within Facebook being scored separately really deflated my confidence in any of the other results. At the very least, they should have also calculated the score of both apps within Facebook and Facebook itself as one, then show the separate scores as well. Just b/c Facebook is 'secure' itself does not mean that it's users' data is secure - which was the point of the report in the first place.